Conduent Data Breach: Government Contractor Leaks Data of Tens of Millions of Americans
Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.
First it was 4 million. Then 26 million. Now the real number could be over 100 million.
Conduent, one of America's largest government technology contractors, has been drip-feeding the truth about a catastrophic data breach for over a year. The company processes sensitive data for government healthcare programs that serve more than 100 million Americans. The SafePay ransomware gang had access to its systems for nearly three months and stole 8.5 terabytes of data, including Social Security numbers, medical records, and health insurance information.
The breach is a textbook example of everything wrong with how companies handle cyberattacks: delayed disclosure, minimized numbers, boilerplate statements, and a refusal to be transparent about the true scope of the damage.
The scale: Texas alone has 15.4 million victims (half the state's population). Oregon adds another 10.5 million. Hundreds of thousands more across Delaware, Massachusetts, New Hampshire, and other states. Conduent refuses to confirm the total number.
Timeline: How the Breach Unfolded
To understand just how badly this was handled, let's walk through the timeline:
| Date | What Happened |
|---|---|
| Oct 21, 2024 | SafePay gains initial access to Conduent's systems |
| Oct 2024 - Jan 2025 | Hackers have unrestricted access for 84 days |
| Jan 13, 2025 | Conduent finally detects and stops the intrusion |
| Jan 2025 | Ransomware attack knocks out Conduent's operations for days, disrupting government services across the US |
| Feb 20, 2025 | SafePay claims responsibility, says it stole 8.5TB of data |
| Apr 2025 | Conduent publicly discloses the breach (3 months after detection) |
| Oct 2025 | Conduent claims 4 million people affected in Texas |
| Feb 2026 | Numbers explode: 15.4M in Texas, 10.5M in Oregon, hundreds of thousands more in other states |
Let that sink in. Hackers lived inside Conduent's network for 84 days before anyone noticed. They had enough time to steal 8.5 terabytes of the most sensitive data imaginable. And the company still hasn't finished notifying victims over a year later.
What Was Stolen
The stolen data reads like a checklist for identity theft:
- Social Security numbers - the master key to identity fraud in the US
- Full names - combined with SSNs, enough to open credit lines
- Medical data - diagnosis records, treatment information
- Health insurance information - policy numbers, coverage details
This isn't just a privacy violation. Medical data is permanent. You can change your password, get a new credit card, even get a new phone number. You cannot change your medical history or your Social Security number. This data will be exploitable for the rest of these people's lives.
Why medical data is the most valuable: On the dark web, medical records sell for 10-40x more than credit card numbers. They enable insurance fraud, prescription drug scams, and medical identity theft, where someone uses your identity to receive healthcare, contaminating your medical records with their information.
The Disclosure Minimization Playbook
Perhaps the most infuriating aspect of this breach is how Conduent has handled the disclosure. The pattern is depressingly familiar:
Delay as Long as Possible
The breach was detected in January 2025. Public disclosure came in April, three months later. Hackers claimed responsibility in February. The public was the last to know.
Minimize the Numbers
In October 2025, Conduent told Texas that 4 million people were affected. By February 2026, that number had quietly quadrupled to 15.4 million, which is half the state's population. Add Oregon's 10.5 million and the numbers from other states, and the confirmed total is already north of 26 million.
Refuse to Answer Questions
When TechCrunch contacted Conduent with specific questions about the breach, spokesperson Sean Collins provided a boilerplate statement that didn't address a single question. The company won't say how many people are affected. It won't say if the number exceeds 100 million. It won't say how many breach notifications it has sent.
Use Vague Language in Filings
In its SEC filing, Conduent described the stolen data as containing "a significant number of individuals' personal information associated with our clients' end-users." That's corporate-speak for "we won't tell you how bad it really is."
The question Conduent won't answer: The company says it supports more than 100 million Americans through government healthcare programs. Were all of their records exposed? Conduent refuses to say.
Who Is SafePay?
The breach was claimed by a ransomware group called SafePay. The group posted their claim on dark web leak sites, stating they had exfiltrated 8.5 terabytes of data from Conduent.
🚨🚨🇺🇸Conduent has Allegedly Been Claimed a Victim to SAFEEPAY Ransomware
— Dark Web Informer (@DarkWebInformer) February 20, 2025
8.5TB of alleged stolen data pic.twitter.com/6psfKGHz7S
To put 8.5 terabytes in perspective: that's roughly 8,500 gigabytes. A typical text document is about 50 kilobytes. That means the stolen data could contain the equivalent of 170 million documents. Enough to hold detailed records on every single person Conduent serves.
Ransomware groups typically follow a pattern:
- Gain access through phishing, exploited vulnerabilities, or stolen credentials
- Move laterally through the network, escalating privileges
- Exfiltrate data to external servers (in this case, 8.5TB over 84 days)
- Deploy ransomware to encrypt systems and demand payment
- Double extortion: threaten to publish stolen data if ransom isn't paid
The fact that SafePay had 84 days of undetected access suggests serious gaps in Conduent's security monitoring. Exfiltrating 8.5 terabytes of data generates significant network traffic. Modern security tools should catch this kind of activity within hours or days, not months.
The Third-Party Risk Problem
Conduent is a Business Process Outsourcing (BPO) company. It doesn't create the data it holds. It processes it on behalf of government agencies and healthcare organizations. This is a critical distinction.
When you interact with a government healthcare program, you're not choosing to share your data with Conduent. You probably don't even know Conduent exists. But the government trusted this company with your Social Security number, your medical records, and your insurance information.
This is the fundamental problem with third-party data processing:
- You have no say in which contractors handle your data
- You have no visibility into their security practices
- The data chain extends beyond the organization you actually interact with
- A single contractor becomes a single point of failure for millions of people
- Accountability is diffuse - it's harder to hold a contractor responsible than the government agency itself
The bigger picture: This isn't unique to Conduent. The Mixpanel tracking breach exposed 201 million records through a third-party analytics vendor. The French ISP Free breach happened through weak VPN authentication. Third-party risk is the biggest blind spot in data security today.
The Growing Scale of Data Breaches
The Conduent breach is part of a disturbing trend. Data breaches are getting bigger, and the data being stolen is getting more sensitive.
| Breach | Year | Records | Data Type |
|---|---|---|---|
| Conduent | 2025 | 26M+ (possibly 100M+) | SSNs, medical, insurance |
| Change Healthcare | 2024 | 100M+ | Medical, insurance, SSNs |
| National Public Data | 2024 | 2.9 billion records | SSNs, addresses, names |
| MOVEit | 2023 | 77M+ | Various government data |
| Anthem | 2015 | 78.8M | Medical, SSNs, income |
Healthcare breaches are especially devastating because medical data cannot be reset or replaced. Once your diagnosis history, insurance claims, and treatment records are in criminal hands, they're exploitable forever.
What You Should Do
If you use government healthcare services in the United States, especially in Texas, Oregon, Delaware, Massachusetts, or New Hampshire, you should assume your data may have been compromised. Here's what to do:
Immediate Steps
- Freeze your credit with all three bureaus (Equifax, Experian, TransUnion). This is free and prevents anyone from opening new accounts in your name
- Monitor your health insurance statements for claims you didn't make. Medical identity theft is harder to detect than financial fraud
- Check if you've been notified. Conduent says it plans to finish notifying affected individuals by early 2026. If you haven't received a letter, that doesn't mean you're safe
- Request your medical records from your healthcare providers to establish a baseline you can compare against if fraudulent claims appear later
Long-Term Protection
- Use a password manager and unique passwords for every account, especially healthcare portals
- Enable two-factor authentication on all accounts that support it
- Be skeptical of unsolicited contact claiming to be from healthcare organizations. Scammers will use stolen data to make phishing attempts more convincing
- Monitor your credit reports regularly at AnnualCreditReport.com
- Consider an IRS Identity Protection PIN to prevent tax fraud using your stolen SSN
Privacy tip: A VPN won't protect you from a breach at a company that already has your data, but it does protect your ongoing internet activity from ISP tracking and network surveillance. Check your current exposure at myip.foo and test for DNS leaks and WebRTC leaks.
Where's the Accountability?
Conduent's handling of this breach raises serious questions about accountability:
- How did 8.5TB leave the network undetected? Modern data loss prevention tools should flag this kind of exfiltration
- Why was initial disclosure delayed by months? Affected individuals deserve to know as soon as possible so they can take protective action
- Why were the numbers so drastically underreported? Going from 4 million to 15.4 million in a single state suggests either incompetence or deliberate minimization
- Why won't Conduent confirm the total? If you process data for 100+ million people and suffer a massive breach, the public deserves a straight answer
In Europe, GDPR requires breach notification within 72 hours and imposes significant fines for failures. The US has no equivalent federal standard, leaving a patchwork of state laws that companies can navigate slowly while victims remain in the dark.
Common Questions
What happened in the Conduent data breach?
The SafePay ransomware gang breached Conduent, a major US government contractor, and had access to its systems from October 21, 2024 to January 13, 2025. They stole 8.5 terabytes of data including Social Security numbers, names, medical data, and health insurance information.
How many people are affected?
At least 26 million people across Texas (15.4 million) and Oregon (10.5 million), plus hundreds of thousands in other states. Conduent serves over 100 million Americans and refuses to confirm the total number of victims.
What data was stolen?
Social Security numbers, full names, medical data, and health insurance information. This is permanent, sensitive data that cannot be changed or reset, making it exploitable for the victims' entire lives.
How long did the hackers have access?
84 days, from October 21, 2024 to January 13, 2025. During this time, they exfiltrated 8.5 terabytes of data without detection.
What should I do if my data was exposed?
Freeze your credit with all three bureaus, monitor health insurance statements for fraudulent claims, enable two-factor authentication on all accounts, and consider an IRS Identity Protection PIN. See the detailed steps above.
Conclusion
The Conduent breach is a masterclass in everything wrong with how data breaches are handled in the United States. A government contractor with access to the most sensitive data of over 100 million Americans gets hacked for three months, stonewalls on the numbers, and still hasn't finished notifying victims over a year later.
Key takeaways:
- SafePay ransomware gang stole 8.5TB of data during 84 days of undetected access
- At least 26 million Americans confirmed affected (15.4M Texas + 10.5M Oregon + more)
- Stolen data includes SSNs, medical records, and health insurance info
- Conduent initially reported 4 million victims, then the number kept growing
- The company refuses to confirm whether 100+ million people are affected
- Third-party contractors are the biggest blind spot in data security
The uncomfortable truth is that you can do everything right: use strong passwords, enable two-factor authentication, be careful what you share online. And then a company you've never heard of, processing your data without your explicit consent, gets breached because they couldn't detect hackers in their network for almost three months.
That's not a technology problem. That's an accountability problem.
Take control of what you can: You can't prevent a third-party breach, but you can minimize your ongoing exposure.
- Check your IP and connection at myip.foo
- Test for DNS leaks that expose your browsing
- Test for WebRTC leaks that bypass VPN protection
- Use a VPN like NordVPN to encrypt your connection
Sources
- TechCrunch: Conduent data breach affects far more people than first disclosed
- SEC Filing: Conduent Incorporated (CNDT) April 2025 disclosure
- SEC Filing: Conduent Incorporated (CNDT) 10-Q September 2025
- Security.nl: Dienstverlener Conduent lekt gegevens van tientallen miljoenen Amerikanen
Related Articles
- What the PornHub Data Breach Teaches Us About Third-Party Tracking
- French ISP Free Fined €42M After Data Breach Exposes 5 Million IBANs
- Everything You Know About Passwords Is Wrong: NIST 2025 Guidelines
- GDPR vs CCPA: Privacy Laws Explained (2026 Guide)
- Dutch City Uploads Thousands of Personal Files to ChatGPT